Abstract. Given a large positive integer $N$, how quickly can one construct a prime number larger than $N$ (or between $N$ and $2N$)? Using probabilistic methods, one can obtain a prime number in time at most $\log^{O(1)} N$ with high probability by selecting numbers between $N$ and $2N$ at random and testing each one in turn for primality until a prime is discovered. However, if one seeks a deterministic method, then the problem is much more difficult, unless one assumes some unproven conjectures in number theory; brute force methods give a $O(N^{1+o(1)})$ algorithm, and the best unconditional algorithm, due to Odlyzko, has a runtime of $O(N^{1/2+o(1)})$.

In this paper we discuss an approach that may improve upon the $O(N^{1/2+o(1)})$ bound, by suggesting a strategy to determine in time $O(N^{1/2-c})$ for some $c > 0$ whether a given interval in $[N, 2N]$ contains a prime. While this strategy has not been fully implemented, it can be used to establish partial results, such as being able to determine the parity of the number of primes in a given interval in $[N, 2N]$ in time $O(N^{1/2-c})$.



1. Introduction 



We consider the following question: given a large integer $N$, how easy is it to generate a prime number that is larger than $N$?

Of course, since there are infinitely many primes, and each integer can be tested for 
primality in finite time, one can always answer this question in finite time, simply by 
the brute force method of testing each integer larger than N in turn for primality. So the 
more interesting question is to see how rapidly one can achieve this, and in particular 
to see for which A = A(N) is it possible for a Turing machine (say) to produce a prime 
number larger than N in at most A steps and using at most A units of memory, taking 
only the integer N as input. If A is such that this task is possible, we say that a prime 
number larger than N can be found "in time at most A".

Note that if one allows probabilistic algorithms (so that the Turing machine also has access to a random number generator for input), then one can accomplish this in time polynomial in the length of $N$ (i.e. in time at most $\log^{O(1)} N$); indeed, one can select integers in $[N, 2N]$ at random and test each one for primality. (Here we use the usual asymptotic notation, thus $O(X)$ denotes a quantity bounded in magnitude by $CX$ where $C$ is independent of $N$, and $o(1)$ denotes a quantity bounded in magnitude by $c(N)$ for some $c(N)$ going to zero as $N \to \infty$.) Using algorithms such as the AKS algorithm [1], each such integer can be tested in time at most $\log^{O(1)} N$, and by the prime number theorem one has about a $1/\log N$ chance of success with each attempt, so the algorithm will succeed with (say) 99% certainty after at most $\log^{O(1)} N$ units of time. See also [10] for a probabilistic algorithm for detecting primes in polynomial time which predates the AKS algorithm, as well as a deterministic algorithm for detecting primes in a certain subset of the primes.

1 A list of people involved in this Polymath project can be found at michaelnielsen.org/polymath1/index.php?title=Polymath4_grant_acknowledgments.

D.H.J. POLYMATH

If however one insists on deterministic methods, then the problem becomes substantially harder. The sieve of Eratosthenes will supply all the primes between $N$ and $2N$, but requires $O(N^{1+o(1)})$ units of time and memory. Using the AKS algorithm, if one can construct a subset $E$ of $[N, 2N]$ in time at most $A$ that is guaranteed to contain at least one prime, then by testing each element of $E$ in turn for primality, we see that we can obtain a prime in time at most $A + O(N^{o(1)} |E|)$. Thus, for instance, using Bertrand's postulate one recovers the $O(N^{1+o(1)})$ bound; using the unconditional fact that $[N, N + N^{0.525}]$ contains a prime for every large $N$ (see [2]) we improve this to $O(N^{0.525+o(1)})$; and if one assumes the Riemann hypothesis, then as is well known we obtain a prime in an interval of the form $[N, N + N^{0.5+o(1)}]$ for all large $N$, leading to a bound of $O(N^{0.5+o(1)})$.

There are other sparse sets that are known to contain primes. For instance, using the result of Heath-Brown [7] that there are infinitely many primes of the form $a^3 + 2b^3$ (which comes with the expected asymptotic), the above strategy gives an unconditional algorithm with time $O(N^{2/3+o(1)})$, since the number of integers in $[N, 2N]$ of the form $a^3 + 2b^3$ is comparable to $N^{2/3}$. More generally, if one assumes Schinzel's hypothesis H, which predicts the asymptotic number of primes inside any polynomial sequence $\{P(n) : n \in \mathbb{N}\}$, and in particular inside the sequence $n^k + 1$ for any fixed $k = 1, 2, \ldots$, then the same argument would give a deterministic prime-finding algorithm that runs in time $O(N^{1/k+o(1)})$. Unfortunately the asymptotic for primes of the form $n^k + 1$ is not known even for $k = 2$, which is a famous open conjecture of Landau.

A famous conjecture of Cramér [I] (see also [6] for refinements) asserts that the largest prime gap in $[N, 2N]$ is of the order of $O(\log^2 N)$, which would give a deterministic algorithm with run time $O(\log^{O(1)} N)$. Unfortunately, this conjecture is also well out of reach of current technology (the best bound on prime gaps being the $O(N^{0.525+o(1)})$ result from [2] mentioned earlier, or $O(\sqrt{N} \log N)$ assuming the Riemann hypothesis [I]).

Another way to proceed is to find an efficient way to solve the following decision problem: given a subinterval $[a, b]$ of $[N, 2N]$, how quickly can one decide whether such an interval contains a prime? If one could solve each such problem in time at most $A$, then one could locate a prime in $[N, 2N]$ in time $O(A \log N)$, by starting with the interval $[N, 2N]$ (which is guaranteed to contain a prime, by Bertrand's postulate) and then performing a binary search, repeatedly subdividing the interval into two approximately equal pieces and using the decision problem to locate a subinterval that also contains a prime.

Because primality testing is known to be in the complexity class P (see [1]), we see that the above decision problem is in the complexity class NP. Thus, if P = NP, we could locate a prime deterministically in time at most $\log^{O(1)} N$. Of course, this conjecture is also unproven (and is widely believed to be false).

Given that there is a probabilistic algorithm to locate primes in time polynomial in the 
digits, it may seem that the conjecture P = BPP would be able to quickly imply a 
fast algorithm to locate primes. Unfortunately, to use the P = BPP conjecture, one 
would presumably need to obtain a bounded-error probabilistic polynomial (BPP) time 
algorithm for solving the above decision problem (or some closely related problem), and 
it is not clear how to achieve this.²

One way to solve the above decision problem would be to find a quick way to compute $\pi(x)$, the number of primes less than or equal to $x$, for $x$ in $[N, 2N]$, since an interval $[a, b]$ contains a prime if and only if $\pi(b) - \pi(a - 1) > 0$. The fastest known elementary method to compute $\pi(x)$ is the Meissel-Lehmer method [8], [5], which takes time $O(x^{2/3} / \log^2 x)$ and leads to a $O(N^{2/3+o(1)})$ algorithm.

On the other hand, if one can calculate $\pi(x)$ for $x \in [N, 2N]$ approximately in time $A$ to a guaranteed error of $L$ (say), then a modification of the above arguments shows that in time $O(N^{o(1)} A)$, one can find a subinterval of $[N, 2N]$ of length $O(N^{o(1)} L)$. (The only thing one has to be careful of is to ensure in the binary search algorithm that the density of primes in the interval is always $\gg 1/\log N$, but this is easily accomplished.) It was observed by Lagarias and Odlyzko [9] that by using an explicit contour integral formula for $\pi(x)$ (or the closely related expression $\psi(x) = \sum_{n \le x} \Lambda(n)$) in terms of the Riemann zeta function, one could compute $\pi(x)$ to accuracy $L$ using $O(N^{o(1)} \frac{N}{L})$ time.³ This is enough to obtain an interval of length $O(N^{1/2+o(1)})$ that is guaranteed to contain a prime, in time $O(N^{1/2+o(1)})$; testing each such element for primality, one then obtains a deterministic prime-finding algorithm that unconditionally takes $O(N^{1/2+o(1)})$ time (thus matching the algorithm that was conditional on the Riemann hypothesis). To our knowledge, this is the best known algorithm in the literature for deterministically finding primes.



1.1. Beating the square root barrier? We conjecture that the square root barrier 
for the decision problem can be broken: 

Conjecture 1.1. There exists an absolute constant $c > 0$, such that one can (deterministically) decide whether a given interval $[a, b]$ in $[N, 2N]$ of length at most $N^{1/2+c}$ contains a prime in time $O(N^{1/2-c+o(1)})$.

2 For further discussion of this issue, see michaelnielsen.org/polymath1/index.php?title=Oracle_counterexample_to_finding_pseudoprimes

3 The basic idea is to use quadrature to integrate a suitable contour integral involving the zeta function on the interval from $2 - iT$ to $2 + iT$, where $T$ is comparable to $N/L$. In [9] it is also observed that the method also lets one compute $\pi(x)$ exactly in time $O(N^{1/2+o(1)})$, by smoothing the sum $\psi(x)$ at scale $O(N^{1/2+o(1)})$ and using the sieve of Eratosthenes to compute exactly the error incurred by such a smoothing.

This would of course imply a bound of $O(N^{1/2-c+o(1)})$ for finding a prime in $[N, 2N]$ deterministically, since as mentioned earlier we can locate an initial interval of length at most $N^{1/2+c}$ containing a prime in time $O(N^{1/2-c+o(1)})$, and then proceed by binary search.

As mentioned earlier, it would suffice to be able to compute $\pi(x)$ in time $O(x^{1/2-c+o(1)})$. We do not know how to accomplish this, but we have the following partial result:

Theorem 1.2 (Computing the parity of $\pi(x)$). There exists an absolute constant $c > 0$, such that one can (deterministically) decide whether a given interval $[a, b]$ in $[N, 2N]$ of length at most $N^{1/2+c}$ contains an odd number of primes in time $O(N^{1/2-c+o(1)})$.



We prove this result in Section 2; the key observation is that the parity of the prime counting function $\pi(x)$ is closely connected to the divisor sum function $\sum_{n \le x} \tau(n)$, which will be computed efficiently by invoking the standard Dirichlet hyperbola identity

$$\sum_{n \le x} \sum_{d | n} f(d) g\left(\frac{n}{d}\right) = \sum_{n, m : nm \le x} f(n) g(m) = \sum_{n \le y} g(n) F\left(\frac{x}{n}\right) + \sum_{m \le x/y} f(m) G\left(\frac{x}{m}\right) - F(y) G(x/y) \tag{1.1}$$

for any functions $f, g : \mathbb{N} \to \mathbb{R}$, where $F(x) := \sum_{n \le x} f(n)$ and $G(x) := \sum_{m \le x} g(m)$; see for instance [13, §3.2, Theorem 1].



Note that once one has Theorem 1.2 and assuming that one can find an interval $[a, b]$ which contains an odd number of primes, then the binary search method will locate a prime deterministically in time $O(N^{1/2-c+o(1)})$, since if one subdivides an interval containing an odd number of primes into two subintervals, then at least one of these must also contain an odd number of primes. However, we do not know of a method to quickly and deterministically locate an interval with an odd number of primes.

In fact we can establish the following stronger result. Given an interval $[a, b]$, we define the prime polynomial $P(t) = P_{a,b}(t)$ as

$$P_{a,b}(t) := \sum_{a \le p \le b} t^p,$$

where $p$ ranges over primes in $[a, b]$. Thus for instance $[a, b]$ contains a prime if and only if $P(1)$ is non-zero, or equivalently if $P(t) \bmod 2$ is non-zero, where we view $P(t) \bmod 2$ as an element of the polynomial ring $\mathbb{F}_2[t]$ over the field $\mathbb{F}_2$ of two elements.

Given a polynomial $P(t)$ over a ring $R$, we say that $P$ has circuit complexity $O(M)$ if, after time $O(M)$, one can build a circuit of size $O(M)$ consisting of the arithmetic operations (addition, subtraction, multiplication, and division⁴), as well as the primitive polynomials $1, t$, whose output is well-defined in $R[t]$ and is equal to $P$.

4 Traditionally, division is not considered an arithmetic operation for the purpose of circuit complexity, but it is convenient for us to modify the definition because we will be taking advantage of division at a few places in the paper. Also note that in our definition, it is not enough for a circuit to merely exist; it must also be constructible within the specified amount of time.

Theorem 1.3. Suppose that $[a, b]$ is an interval in $[N, 2N]$ of size at most $N^{1/2+c}$ for some sufficiently small $c$. Then the polynomial $P_{a,b}(t) \bmod 2$ has circuit complexity

We prove this theorem in Section 3.

Observe that if $g \in \mathbb{F}_2[t]$ is a polynomial of degree at most $N^{c/2+o(1)}$, then any arithmetic operation in the quotient space $\mathbb{F}_2[t]/(g)$ can be performed in time $O(N^{c/2+o(1)})$ (using the fast multiplication algorithm to evaluate multiplication in this space, and Euler's theorem and the power method to perform multiplicative inversion). As a consequence of this and the above theorem, we see that $P_{a,b}(t) \bmod (2, g)$ can be computed in time $O(N^{1/2-c/2+o(1)})$. When $g(t) = t - 1$, this is Theorem 1.2. But this theorem is more general. For instance, applying the above argument with $g$ equal to a cyclotomic polynomial, it is not difficult to see that one can compute the parity of the reduced prime counting functions $\pi(x; a, q) := |\{p \le x : p = a \bmod q\}|$ for any positive integer $q = O(N^{c/10})$ in time $O(N^{1/2-c/4+o(1)})$. Unfortunately, we were not able to use this to unconditionally establish Conjecture 1.1; it is a priori conceivable (but quite unlikely) that an interval $[a, b]$ might contain a non-zero number of primes, but have an even number of primes in every residue class mod $q$ with $q = O(N^{c/10})$.

On the other hand, as the prime polynomial $P_{a,b}(t) \bmod 2$ has degree $O(N)$, it is easy to see that the proportion of polynomials of degree at most $N^{c/4}$ that do not divide $P_{a,b}(t) \bmod 2$ is bounded away from zero. (Indeed, a positive proportion of such polynomials contain a prime factor of degree at least $N^{c/8}$, but by unique factorization, there are $O(N)$ such primes, and each one only divides at most $2^{-N^{c/8}}$ of the polynomials of degree at most $N^{c/4}$.) As such, we see that we can obtain a bounded-error probabilistic algorithm for solving the decision problem that runs in time $O(N^{1/2-c/2+o(1)})$, by testing whether the prime polynomial $P_{a,b}(t)$ vanishes modulo 2 and $g(t)$, where $g$ is a randomly selected polynomial of degree at most $N^{c/4}$. Unfortunately, the run time of this algorithm is not polynomial in the number of digits, and so the P = BPP hypothesis does not yield any improvements over existing algorithms.

In Section 4 we discuss possible strategies that could lead to a full resolution of Conjecture 1.1.



1.2. About this project. This paper is part of the Polymath project, which was launched by Timothy Gowers in February 2009 as an experiment to see if research mathematics could be conducted by a massive online collaboration. This project (which was administered by Terence Tao) is the fourth project in this series. Further information on this project can be found on the web site [11]. Information about this specific polymath project may be found at

michaelnielsen.org/polymath1/index.php?title=Finding_primes

and a full list of participants and their grant acknowledgments may be found at

michaelnielsen.org/polymath1/index.php?title=Polymath4_grant_acknowledgments

We thank Ryan Williams and Tomás Oliveira e Silva for corrections, Jeffrey Shallit for a reference, and the anonymous referee for many cogent suggestions and corrections.



2. Computing the parity of $\pi(x)$



We now prove Theorem 1.2. Let $c > 0$ be a small number to be chosen later. Let $\tau(n) := \sum_{d | n} 1$ be the number of divisors of $n$, and let $\omega(n) := \sum_{p | n} 1$ be the number of distinct primes that divide $n$ (with the convention that $\omega(1) = 0$). One easily verifies the identity

$$2^{\omega(n)} = \sum_{d : d^2 | n} \mu(d) \tau(n/d^2) \tag{2.1}$$

where $\mu$ is the Möbius function⁵, by checking this first on prime powers and then using multiplicativity. Now for $n > 1$, $2^{\omega(n)}$ is divisible by 4, except when $n$ is a prime power $n = p^j$, in which case it is equal to 2. This gives the identity

$$\sum_{a \le n \le b} 2^{\omega(n)} = 2 \sum_{j=1}^{\infty} |\{p \in [a^{1/j}, b^{1/j}] : p \text{ prime}\}| \bmod 4.$$

Clearly we may restrict $j$ to size $O(\log N)$. For any $j \ge 2$, the interval $[a^{1/j}, b^{1/j}]$ has size $O(N^c)$ (by the mean value theorem), and so the $j$th summand on the RHS can be computed in time $O(N^{c+o(1)})$ by the AKS algorithm [1]. Thus we see that to prove Theorem 1.2 it will suffice to compute the quantity

$$\sum_{a \le n \le b} 2^{\omega(n)}$$

in time $O(N^{1/2-c+o(1)})$. Using (2.1), we can expand this expression as

$$\sum_d \mu(d) \sum_{a/d^2 \le m \le b/d^2} \tau(m). \tag{2.2}$$

Clearly $d$ can be restricted to be $O(N^{1/2})$.

We first dispose of the large values of $d$ in which $d > N^{0.49}$ (say). Then $m = O(N^{0.02})$ so we can rearrange this portion of (2.2) as

$$\sum_{m = O(N^{0.02})} \ \sum_{\sqrt{a/m} \le d \le \sqrt{b/m};\ d > N^{0.49}} \mu(d) \tau(m). \tag{2.3}$$

For each value of $m$, there are $O(N^c)$ possible values of $d$, each of size $O(N^{1/2})$. Each such $d$ can be factored using trial division in time $O(N^{1/4+o(1)})$ (or one can use more advanced factoring algorithms if desired), and so each of the $O(N^{0.02+c})$ summands can be computed in time $O(N^{1/4+o(1)})$, giving a net cost of $O(N^{0.27+c+o(1)})$ which is acceptable for $c$ small enough.



5 The Möbius function is defined by setting $\mu(p_1 \ldots p_k) := (-1)^k$ for any product $p_1 \ldots p_k$ of distinct primes $p_1, \ldots, p_k$, and $\mu(n) = 0$ whenever $n$ is not square-free (i.e. it is divisible by a perfect square larger than 1).

For the remaining values of $d$, we can use the sieve of Eratosthenes to factorise all the $d$ (and in particular, compute $\mu(d)$) in time $O(N^{0.49+o(1)})$. So the main task is to compute the inner sum of (2.2) for such $d$.

We will shortly establish

Theorem 2.1. The expression $\sum_{n \le x} \tau(n)$ can be computed in time $O(x^{1/2-c_0+o(1)})$ for some absolute constant $c_0 > 0$.

Assuming this for the moment, we see that for each $d \le N^{0.49}$, the summand in (2.2) can be computed in time $O(N^{o(1)} (N/d^2)^{1/2-c_0})$. Summing in $d$, we obtain a total time cost of $O(N^{1/2-c_0/10+o(1)})$ (say), which is acceptable if $c$ is chosen small enough depending on $c_0$.

So it suffices to establish Theorem 2.1. The argument here is loosely inspired by the arguments used to establish the elementary bound $\sum_{n \le x} \tau(n) = x \log x - (2\gamma - 1) x + O(x^{1/3+o(1)})$ in Chapter 3].

Clearly we may shift $x$ to be a non-integer. We then apply the Dirichlet hyperbola identity (1.1) (with $f = g = 1$ and $y = \sqrt{x}$) to expand

$$\sum_{n \le x} \tau(n) = 2 \sum_{n \le \sqrt{x}} \left\lfloor \frac{x}{n} \right\rfloor - \lfloor \sqrt{x} \rfloor^2.$$

It thus suffices to evaluate the integer

$$\sum_{n \le \sqrt{x}} \left\lfloor \frac{x}{n} \right\rfloor$$

in time $O(x^{1/2-c_0+o(1)})$. In fact, we have

Proposition 2.2 (Complexity of the hyperbola). In time $O(x^{0.49+o(1)})$, one can obtain a partition of the discrete interval $\{n : 1 \le n \le \sqrt{x}\}$ into $O(x^{0.49+o(1)})$ arithmetic progressions, with the function $n \mapsto \lfloor x/n \rfloor$ linear on each arithmetic progression.

Since one can use explicit formulas to sum any linear function with coefficients of size $O(x)$ on an arithmetic progression of integers of size $O(x)$ in time $O(x^{o(1)})$, Theorem 2.1 now follows immediately from the above proposition.

Proof. By using the singleton sets $\{n\}$ to partition all the numbers less than $x^{0.49}$, we see that it suffices to partition the interval $\{n : x^{0.49} \le n \le \sqrt{x}\}$.



Let $x^{0.49} \le n_0 \le \sqrt{x}$ be arbitrary, and set $Q := x^{0.1}$. By the Dirichlet approximation theorem, there exist integers $1 \le q \le Q$ and $a \ge 1$ such that $\left| \frac{x}{n_0^2} - \frac{a}{q} \right| \le \frac{1}{qQ}$. These integers can be easily located in time $O(x^{o(1)})$ using continued fractions. We now expand the quantity $\frac{x}{n}$ where $n = n_0 + lq + r$, $l \ge 0$, and $0 \le r < q$. Since

$$\frac{1}{n_0 + y} = \frac{1}{n_0} - \frac{y}{n_0^2} + \frac{y^2}{n_0^2 (n_0 + y)}$$

for any $y$, we have

$$\frac{x}{n} = \frac{x}{n_0} - \frac{x(lq + r)}{n_0^2} + \frac{x(lq + r)^2}{n_0^2 (n_0 + lq + r)}.$$

We expand $\frac{x}{n_0^2} = \frac{a}{q} + \frac{\theta}{qQ}$ for some explicitly computable $|\theta| \le 1$, to obtain

$$\left\lfloor \frac{x}{n} \right\rfloor = -al + \lfloor P(l) \rfloor$$

where $P = P_{x, n_0, a, q, \theta, r}$ is the rational function

$$P(l) := \frac{x}{n_0} - \frac{xr}{n_0^2} - \frac{\theta l}{Q} + \frac{x(lq + r)^2}{n_0^2 (n_0 + lq + r)}.$$

The first two terms on the right-hand side are independent of $l$. If we restrict $l$ to the range $0 \le l \le Q$, then the third term has magnitude at most 1, and the fourth term has magnitude at most $O(x^{-0.01})$.

Thus (for $x$ large enough) we see that $P$ fluctuates in an interval of length at most 3, and so $\lfloor P(l) \rfloor$ takes at most three values. For any such value $k$, the set $\{l : \lfloor P(l) \rfloor = k\}$ is a union of intervals, bounded by the sets $\{l : P(l) = k\}$ and $\{l : P(l) = k + 1\}$. As $P$ is a rational function in $l$ of bounded degree, we see from Bezout's theorem that these latter sets have cardinality $O(1)$, and so the set $\{l : \lfloor P(l) \rfloor = k\}$ is the union of $O(1)$ intervals. Furthermore, the endpoints of these intervals can be computed explicitly in time $O(x^{o(1)})$, by using the explicit formula for the solution of the cubic. We conclude that in time $O(x^{o(1)})$, one can partition each arithmetic progression $\{n_0 + lq + r : 0 \le l \le Q\}$ for $0 \le r < q$ into $O(1)$ subprogressions, with $n \mapsto \lfloor x/n \rfloor$ linear on each subprogression. Performing this once for each residue class $r$ mod $q$, we see that in time $O(x^{o(1)} q)$, we can partition the interval $\{n : n_0 \le n \le n_0 + qQ\}$ into $O(q)$ progressions, with $n \mapsto \lfloor x/n \rfloor$ linear on each progression. If we apply this observation with $n_0$ set equal to the left endpoint of the interval $\{n : x^{0.49} \le n \le \sqrt{x}\}$, we may partition an initial segment of this interval into progressions with the required linearity property. Removing this initial segment, and iterating this procedure (updating $n_0$ and $q$ at each stage) we then obtain the claim. (Note that if the interval $\{n : n_0 \le n \le n_0 + qQ\}$ overflows beyond $\sqrt{x}$, then we may simply partition the remaining portion of the interval into singletons, at a cost of $O(x^{0.2})$ progressions.) □
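The reduction of this section can be checked numerically. The following Python sketch is an added example, not code from the paper: it computes the parity of the number of primes in $[a, b]$ from (2.1), (2.2) and the hyperbola identity, then runs the binary search described after Theorem 1.2. It assumes $2 \le a \le b$, sums $\lfloor x/n \rfloor$ term by term in $O(\sqrt{x})$ steps instead of using the partition of Proposition 2.2, and substitutes trial division for the AKS test, so it illustrates the identities rather than the exponent saving; all function names are ours.

```python
from math import isqrt


def divisor_sum(x):
    """D(x) = sum_{n <= x} tau(n) by the hyperbola identity (1.1) with
    f = g = 1, y = sqrt(x): 2 * sum_{n <= sqrt(x)} floor(x/n) - floor(sqrt(x))^2."""
    if x < 1:
        return 0
    r = isqrt(x)
    return 2 * sum(x // n for n in range(1, r + 1)) - r * r


def mobius_table(limit):
    """mu(0..limit) by a linear sieve (the sieving step in the text)."""
    mu = [1] * (limit + 1)
    mu[0] = 0
    composite = [False] * (limit + 1)
    primes = []
    for n in range(2, limit + 1):
        if not composite[n]:
            primes.append(n)
            mu[n] = -1
        for p in primes:
            if n * p > limit:
                break
            composite[n * p] = True
            if n % p == 0:
                mu[n * p] = 0  # p^2 divides n*p, so it is not square-free
                break
            mu[n * p] = -mu[n]
    return mu


def omega_power_sum(x, mu):
    """S(x) = sum_{n <= x} 2^omega(n) = sum_d mu(d) * D(floor(x / d^2)), by (2.1)."""
    return sum(mu[d] * divisor_sum(x // (d * d))
               for d in range(1, isqrt(x) + 1) if mu[d])


def is_prime(n):
    """Trial division; a stand-in for the AKS test used in the paper."""
    return n >= 2 and all(n % p for p in range(2, isqrt(n) + 1))


def iroot(n, j):
    """Largest integer r with r**j <= n."""
    r = int(round(n ** (1.0 / j)))
    while r ** j > n:
        r -= 1
    while (r + 1) ** j <= n:
        r += 1
    return r


def higher_power_count(a, b):
    """Number of prime powers p^j in [a, b] with j >= 2."""
    total, j = 0, 2
    while 2 ** j <= b:
        lo, hi = iroot(a - 1, j) + 1, iroot(b, j)
        total += sum(1 for p in range(lo, hi + 1) if is_prime(p))
        j += 1
    return total


def prime_count_parity(a, b):
    """Parity of the number of primes in [a, b], for 2 <= a <= b."""
    mu = mobius_table(isqrt(b))
    total = omega_power_sum(b, mu) - omega_power_sum(a - 1, mu)
    # For n > 1, 2^omega(n) equals 2 on prime powers and is 0 mod 4 otherwise,
    # so total/2 has the parity of the number of prime powers in [a, b].
    assert total % 2 == 0
    return (total // 2 - higher_power_count(a, b)) % 2


def find_prime(a, b):
    """Binary search for a prime in [a, b], given that the interval
    holds an odd number of primes."""
    if prime_count_parity(a, b) != 1:
        raise ValueError("interval does not contain an odd number of primes")
    while a < b:
        mid = (a + b) // 2
        if prime_count_parity(a, mid) == 1:
            b = mid          # odd count on the left half
        else:
            a = mid + 1      # so the odd count is on the right half
    return a
```
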

2.1. A refinement. By modifying the above argument, one can in fact compute $\sum_{n \le x} \tau(n)$ in $O(x^{1/3+o(1)})$ time, though this particular argument does not extend as easily to the polynomial setting as the one given above. We sketch the details as follows. As before, it suffices to compute

$$\sum_{n \le \sqrt{x}} \left\lfloor \frac{x}{n} \right\rfloor$$

in time $O(x^{1/3+o(1)})$. By dyadically decomposing the interval $\{n : n \le \sqrt{x}\}$ into dyadic intervals $\{n : A \le n < 2A\}$ for various values of $A$, it suffices to compute

$$\sum_{A \le n < 2A} \left\lfloor \frac{x}{n} \right\rfloor$$

in time $O(x^{1/3+o(1)})$ for all $A \le \sqrt{x}$. We may assume that $A \ge 100 x^{1/3}$ since one can sum the series one term at a time otherwise.

We consider the subtask of computing a partial sum of the form

$$\sum_{n_0 \le n < n_0 + q} \left\lfloor \frac{x}{n} \right\rfloor$$

where $A \le n_0 \le 2A$ and $q$ is chosen so that $|x/n_0^2 - a/q| \le 1/qQ$ with $1 \le q \le Q$ and $a$ coprime to $q$ as above, where we now optimise $Q$ to equal $A x^{-1/3}$. We claim that this sum can be computed in $O(x^{o(1)})$ time.

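As this sum is an integer, it suffices to compute the sum with an error of less than 1/2. Writing $n = n_0 + r$ and $x/n_0^2 = a/q + \theta/qQ$ and expanding as before we have

$$\frac{x}{n} = \frac{x}{n_0} - \frac{ar}{q} - \frac{\theta r}{qQ} + \frac{x r^2}{n_0^2 (n_0 + r)}$$

and thus (for $0 \le r < q$)

$$\frac{x}{n} = \frac{x}{n_0} - \frac{ar}{q} + O\left(\frac{1}{q}\right)$$

where we have used the assumptions $q \le Q = A x^{-1/3}$.

As $r$ runs from $0$ to $q - 1$, the fractional parts of $\frac{ar}{q}$ take each of the values $\frac{0}{q}, \frac{1}{q}, \ldots, \frac{q-1}{q}$ exactly once, since $a$ is coprime to $q$. We conclude that

$$\left\lfloor \frac{x}{n} \right\rfloor = \left\lfloor \frac{x}{n_0} - \frac{ar}{q} \right\rfloor$$

for all but $O(1)$ values of $r$, each of which can be computed explicitly in $O(x^{o(1)})$ time. So we are left with computing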



E 

0<r<g 



X 

no 



ar 



E 

0<i<<j 



X 

n 



which can easily be computed in $O(x^{o(1)})$ time, and the claim follows.

A modification of the above argument shows that we can in fact compute $\sum_{n_0 \le n < n_0 + kq} \lfloor x/n \rfloor$ in $O(x^{o(1)})$ time whenever $kq = O(Q)$. As such, we can compute the entire sum $\sum_{A \le n < 2A} \lfloor x/n \rfloor$ in time $O(x^{o(1)} A/Q) = O(x^{1/3+o(1)})$ by summing in blocks of size $Q$, and the claim follows.

3. The circuit complexity of the prime polynomial mod 2



We now modify the above arguments to establish Theorem 1.3. We begin by showing a non-trivial gain in circuit complexity for a quadratic sum.

Lemma 3.1. Let $a, b, c, q = O(N)$ be integers, then the expression

$$\sum_{m=0}^{q-1} t^{am^2 + bm + c} \tag{3.1}$$

has circuit complexity $O(N^{o(1)} q^{1-c_0})$ in the polynomial ring $\mathbb{Z}[t]$ for some absolute constant $c_0 > 0$.

Note that this is a power saving over the trivial bound of $O(N^{o(1)} q)$ (note that by repeated squaring, any monomial $t^n$ with $n = O(N^{O(1)})$ has circuit complexity $O(N^{o(1)})$).

Proof. It suffices to establish this lemma when $q$ is a perfect cube $q = Q^3$, as the general case can then be established by approximating $q$ by the nearest cube and evaluating the remaining $O(q^{1/3})$ terms by hand.

Next, we expand $m$ in base $Q$ as $m = i + Qj + Q^2 k$ for $0 \le i, j, k < Q$. We can then expand $am^2 + bm + c$ as a quadratic polynomial in $k$, which we split as

$$am^2 + bm + c = U(i, j) + V(j, k) + W(k, i)$$

for some explicit quadratic polynomials $U, V, W$, whose coefficients have polynomial size in $N$. We can then express (3.1) as

$$\sum_{i=0}^{Q-1} \sum_{j=0}^{Q-1} \sum_{k=0}^{Q-1} t^{U(i,j)} t^{V(j,k)} t^{W(k,i)}$$

or more compactly as

$$\mathrm{tr}(ABC)$$

where $A, B, C$ are the $Q \times Q$ matrices

$$A := (t^{U(i,j)})_{0 \le i, j < Q}; \quad B := (t^{V(j,k)})_{0 \le j, k < Q}; \quad C := (t^{W(k,i)})_{0 \le k, i < Q}.$$

Each of the matrices $A, B, C$ has a circuit complexity of $O(N^{o(1)} Q^2)$. Using the Strassen fast matrix multiplication algorithm [12], one can multiply $A, B, C$ together using a circuit of complexity $O(Q^{3-c_0})$ for some absolute constant $c_0 > 0$. Taking the trace requires another circuit of complexity $O(Q)$. Putting all these circuits together and recalling that $Q = q^{1/3}$, one obtains the claim. □
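The identity behind Lemma 3.1 can be checked directly for small $Q$. The following Python sketch is an added example, not code from the paper: it fixes one explicit choice of the split $U, V, W$ (the proof only asserts that an explicit split exists), builds the monomial matrices $A, B, C$ with entries in $\mathbb{Z}[t]$, and compares $\mathrm{tr}(ABC)$ with the direct sum (3.1). It uses schoolbook matrix multiplication rather than Strassen's algorithm, so it verifies the algebra and not the power saving; polynomials are stored as exponent-to-coefficient maps and all names are ours.

```python
from collections import Counter


def split_exponent(a, b, c, Q):
    """One explicit split a*m^2 + b*m + c = U(i,j) + V(j,k) + W(k,i)
    for m = i + Q*j + Q^2*k (an assumed choice; other splits work too)."""
    def U(i, j):
        return a * i * i + 2 * a * Q * i * j + b * i + c

    def V(j, k):
        return a * Q**2 * j * j + 2 * a * Q**3 * j * k + b * Q * j

    def W(k, i):
        return a * Q**4 * k * k + 2 * a * Q**2 * k * i + b * Q**2 * k

    return U, V, W


def poly_mul(p, q):
    """Product of two sparse polynomials {exponent: coefficient}."""
    out = Counter()
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            out[e1 + e2] += c1 * c2
    return out


def mat_mul(X, Y):
    """Schoolbook product of square matrices with polynomial entries."""
    n = len(X)
    Z = [[Counter() for _ in range(n)] for _ in range(n)]
    for i in range(n):
        for k in range(n):
            for j in range(n):
                Z[i][k].update(poly_mul(X[i][j], Y[j][k]))  # adds coefficients
    return Z


def trace(X):
    out = Counter()
    for i in range(len(X)):
        out.update(X[i][i])
    return out


def quadratic_sum_direct(a, b, c, start, stop):
    """sum_{start <= m < stop} t^(a*m^2 + b*m + c), one term at a time."""
    return Counter(a * m * m + b * m + c for m in range(start, stop))


def quadratic_sum_via_trace(a, b, c, Q):
    """The sum (3.1) for q = Q^3, computed as tr(ABC)."""
    U, V, W = split_exponent(a, b, c, Q)
    idx = range(Q)
    A = [[Counter({U(i, j): 1}) for j in idx] for i in idx]
    B = [[Counter({V(j, k): 1}) for k in idx] for j in idx]
    C = [[Counter({W(k, i): 1}) for i in idx] for k in idx]
    return trace(mat_mul(mat_mul(A, B), C))


def quadratic_sum(a, b, c, q):
    """General q: the largest cube Q^3 <= q via the trace, the rest by hand."""
    Q = round(q ** (1 / 3))
    while Q**3 > q:
        Q -= 1
    while (Q + 1) ** 3 <= q:
        Q += 1
    head = quadratic_sum_via_trace(a, b, c, Q)
    tail = quadratic_sum_direct(a, b, c, Q**3, q)
    return head + tail
```
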



It would be of interest to see if similar power savings can also be obtained for analogous sums in which the quadratic exponent $an^2 + bn + c$ is replaced by a higher degree polynomial. It may be that a generalisation of the Strassen algorithm to tensors would be relevant for this task.

Next, we need the following modification of Proposition 2.2.

Proposition 3.2 (Complexity of the hyperbola, II). There exists an absolute constant $c_0 > 0$ such that if $0 < c < c_0$ is sufficiently small, then for any $0 < x' < x$ with $x - x' \le x^{1/2+c}$, and in time $O(x^{1/2-c_0+o(1)})$, one can obtain a partition of the discrete interval $\{n : x^{1/2-c} \le n \le \sqrt{x}\}$ into $O(x^{1/2-c_0+o(1)})$ arithmetic progressions, with the function $n \mapsto \lfloor x/n \rfloor$ linear on each arithmetic progression, and the function $n \mapsto \lfloor x/n \rfloor - \lfloor x'/n \rfloor$ is constant.

Proof. Let $c_0 > 0$ be a sufficiently small constant, and assume that $0 < c < c_0$ is sufficiently small as well. Let $x^{1/2-c} \le n_0 \le \sqrt{x}$ be arbitrary, and set $Q := x^{10 c_0}$. As in the proof of Proposition 2.2 there exist integers $1 \le q \le Q$ and $a \ge 1$ such that $\frac{x}{n_0^2} = \frac{a}{q} + \frac{\theta}{qQ}$ for some $|\theta| \le 1$, where $n = n_0 + lq + r$ and $0 \le l, q, r \le Q$. Since $n_0 \ge x^{1/2-c}$, we have (for $x$ large enough) that $n \ge x^{1/2-c}/2$ (say). A brief computation (noting that $|x - x'| \le x^{1/2+c}$) then shows that $\frac{x'}{n_0^2} = \frac{a}{q} + \frac{\theta'}{qQ}$ for some $|\theta'| \le 2$ if $c$ is small enough and $x$ is sufficiently large. The claim then follows by repeating the proof of Proposition 2.2 (the main difference being that the rational function $P$ is now replaced by a pair $P, P'$ of rational functions). □



We now combine Lemma 3.1 and Proposition 3.2 to obtain

Corollary 3.3. If $c > 0$ is sufficiently small, then for any $0 < a < b < N$ with $b - a \le N^{1/2+c}$, the polynomial

$$\sum_{a \le n \le b} \tau(n) t^n$$

has circuit complexity $O(N^{1/2-c+o(1)})$ for some absolute constant $c > 0$.

Proof. This is analogous to Theorem 2.1. We let $c > 0$ be a sufficiently small quantity to be chosen later.

We may assume that $a, b$ are not integers. We expand this polynomial as

$$\sum_{n, m \ge 1 : a < nm < b} t^{nm}.$$

Observe that if $a < nm < b$, then one either has $1 \le n < \sqrt{b}$ or $1 \le m < \sqrt{b}$, or both, with the last case occurring precisely when $a/\sqrt{b} < n < \sqrt{b}$ and $a/n < m < \sqrt{b}$. In the first case, we rewrite the condition $a < nm < b$ as $a/n < m < b/n$; in the second case, we rewrite that condition as $a/m < n < b/m$. After swapping $n$ and $m$ in the second case, we can rearrange the above polynomial as

$$2 \sum_{1 \le n < \sqrt{b}} \ \sum_{a/n < m < b/n} t^{nm} - \sum_{a/\sqrt{b} < n < \sqrt{b}} \ \sum_{a/n < m < \sqrt{b}} t^{nm}.$$

The second sum contains only $O(N^{2c})$ terms and so can easily be verified to have a circuit complexity of $O(N^{2c+o(1)})$, which is acceptable. So it will suffice to show that the sum

$$\sum_{1 \le n < \sqrt{b}} \ \sum_{\lfloor a/n \rfloor + 1 \le m \le \lfloor b/n \rfloor} t^{nm} \tag{3.2}$$

has circuit complexity $O(N^{1/2-c+o(1)})$.

Using the geometric series formula, the inner sum has circuit complexity $O(N^{o(1)})$ for each fixed $n$. This is already sufficient to dispose of the contribution of the terms in (3.2) for which $n \le N^{1/2-c}$, so it remains to bound the circuit complexity of

$$\sum_{N^{1/2-c+o(1)} \le n < \sqrt{b}} \ \sum_{\lfloor a/n \rfloor + 1 \le m \le \lfloor b/n \rfloor} t^{nm}.$$

Using Proposition 3.2 and in time $O(N^{1/2-c_0+o(1)})$ for some absolute constant $c_0$ (independent of $c$), we may partition $\{n : N^{1/2-c_0+o(1)} \le n < \sqrt{b}\}$ into arithmetic progressions $P_1, \ldots, P_k$ with $k = O(N^{1/2-c_0+o(1)})$, such that $\lfloor b/n \rfloor$ is a linear function of $n$ on each of these progressions, and $\lfloor a/n \rfloor - \lfloor b/n \rfloor$ is constant. This constant is of size $O(N^{2c})$.

Applying Lemma 3.1 (after first switching the order of summation), the sum

$$\sum_{n \in P_j} \ \sum_{\lfloor a/n \rfloor + 1 \le m \le \lfloor b/n \rfloor} t^{nm}$$

has a circuit complexity of $O(N^{2c+o(1)} |P_j|^{1-c_1})$ for some $c_1 > 0$, so that (3.2) has a circuit complexity of

$$O(N^{1/2-c_0+o(1)}) + \sum_{j=1}^{k} O(N^{2c+o(1)} |P_j|^{1-c_1}).$$

By Hölder's inequality, one has

$$\sum_{j=1}^{k} |P_j|^{1-c_1} \le k^{c_1} \Big( \sum_{j=1}^{k} |P_j| \Big)^{1-c_1}.$$

Since $\sum_{j=1}^{k} |P_j| = O(N^{1/2})$ and $k = O(N^{1/2-c_0+o(1)})$, we obtain a total circuit complexity bound of

$$O(N^{1/2-c_0 c_1+2c+o(1)})$$

and the claim follows if $c$ is chosen sufficiently small. □



Now we can prove Theorem 1.3. We repeat the arguments from the previous section. First observe that

$$\sum_{a \le n \le b} 2^{\omega(n)} t^n = 2 P_{a,b}(t) + 2 \sum_{j=2}^{\infty} \ \sum_{a^{1/j} \le p \le b^{1/j}} t^{p^j} \bmod 4.$$

Because $b - a = O(N^{1/2+c})$ and $b, a$ are comparable to $N$, we see from the mean value theorem that $b^{1/j} - a^{1/j} = O(N^c)$ for all $j \ge 2$. We thus see that the total number of primes $p$ in the latter sum are $O(N^{c+o(1)})$ on the right-hand side, and so this sum has a circuit complexity of $O(N^{c+o(1)})$. Thus it suffices to show that the polynomial

$$\sum_{a \le n \le b} 2^{\omega(n)} t^n \bmod 4$$

has circuit complexity $O(N^{1/2-c+o(1)})$. Using (2.1), we rewrite this polynomial as

$$\sum_d \mu(d) \sum_{a/d^2 \le m \le b/d^2} \tau(m) t^{d^2 m}. \tag{3.3}$$

Clearly $d$ can be restricted to be $O(N^{1/2})$.

Once again, we first dispose of the large values of $d$ in which $d > N^{0.49}$. This portion of (3.3) can be rearranged as

$$\sum_{m = O(N^{0.02})} \ \sum_{\sqrt{a/m} \le d \le \sqrt{b/m};\ d > N^{0.49}} \mu(d) \tau(m) t^{d^2 m}.$$

Repeating the arguments from the previous section (and specifically, the arguments used to compute (2.3)), this term can be given a circuit complexity of $O(N^{0.27+c+o(1)})$.

For the remaining values of $d$, we again use the sieve of Eratosthenes to compute all the $\mu(d)$ in time $O(N^{0.49+o(1)})$. Using Lemma 3.3, each instance of the inner sum $\sum_{a/d^2 \le m \le b/d^2} \tau(m) t^{d^2 m}$ has a circuit complexity of $O((N/d^2)^{1/2-c_0+o(1)})$ for some absolute constant $c_0 > 0$. Summing in $d$ as before, we obtain a total circuit complexity of

$$O(N^{0.49+o(1)}) + \sum_d O((N/d^2)^{1/2-c_0+o(1)})$$

which sums to $O(N^{1/2-c+o(1)})$ as desired, for $c$ small enough.



4. Possible extensions 



The circuit complexity bound on the prime polynomial $P_{a,b}(t)$ given by Theorem 1.3 lets us compute $P_{a,b}(t) \bmod (2, g)$ in time $O(N^{1/2-c/2+o(1)})$ for any polynomial $g \in \mathbb{F}_2[t]$ of degree $O(N^{c/4})$, if $c > 0$ is sufficiently small. Unfortunately, this is not strong enough to deterministically determine in time $O(N^{1/2-c/2+o(1)})$ whether $P_{a,b}(t)$ is non-trivial or not, although as mentioned in the introduction it at least gives a bounded-error probabilistic test in this amount of time. It may be however that by using additional algorithms (such as the Fast Fourier Transform, or the multipoint polynomial evaluation algorithm of Borodin and Moenck [3]) one may be able to compute quantities such as $P_{a,b}(t) \bmod (2, g)$ for multiple values of $g$ simultaneously in $O(N^{1/2-c/2+o(1)})$ time, or perhaps variants such as $P_{a,b}(t^j) \bmod (2, g)$. However, it is a priori conceivable (though very unlikely) that the degree $O(N)$ polynomial $P_{a,b}(t) \bmod 2$ is divisible by as many as $O(N^{1-c/4})$ irreducible polynomials $g \in \mathbb{F}_2[t]$ of degree $O(N^{c/4})$, so it is not yet clear to us how to use this sort of test to deterministically settle the decision problem in $O(N^{1/2-c+o(1)})$ time. One possibility would be to find a relatively small set of $g$ for which it was not possible for $P_{a,b}(t) \bmod 2$ to be simultaneously divisible by, without vanishing entirely. Note that a somewhat similar idea is at the heart of the AKS primality test [1].

If one could compute $\pi(x) \bmod q$ (or $\pi(b) - \pi(a) \bmod q$) for each prime $1 < q \le O(\log N)$ in time $O(N^{1/2-c+o(1)})$ uniformly in $q$, where $x, a, b = O(N)$, then from the Chinese remainder theorem we could compute $\pi(x)$ or $\pi(b) - \pi(a)$ itself in time $O(N^{1/2-c+o(1)})$, thus solving Conjecture 1.1. The above analysis achieves this goal for $q = 2$. However, the methods deteriorate extremely rapidly in $q$. For instance, if one wished to compute $\pi(x) \bmod 3$ by the above methods, one would soon be faced with understanding the sum

$$\sum_{n \le x} \tau_2(n) = \sum_{a, b, c \ge 1 : abc \le x} 1$$

where $x = O(N)$ and $\tau_2(n) := \sum_{a, b, c : abc = n} 1$ is the second divisor function. (Observe that the expression $\sum_{d : d^3 | n} \mu(d) \tau_2(n/d^3)$ is divisible by 9 unless $n$ is equal to a 1 or a power of a prime.) The three-dimensional analogue of the Dirichlet hyperbola method allows one to evaluate this expression in time $O(N^{2/3+o(1)})$. The type of arguments used in the previous sections would reduce this cost slightly to $O(N^{2/3-c+o(1)})$ for some small $c > 0$ but this is inferior to the bound $O(N^{1/2+o(1)})$ that can already be obtained for $\pi(x)$.

We have not attempted to optimise the exponent savings $c > 0$ appearing in the results of this paper. It may be that improvements to these exponents may be obtained by making more accurate approximations of the discrete hyperbola $\{(n, \lfloor x/n \rfloor) : 1 \le n \le \sqrt{x}\}$ than the piecewise linear approximation given by Lemma 2.2; for instance, piecewise polynomial approximations may ultimately be more efficient.

It may also be of interest to obtain circuit complexity bounds for more general expressions than the prime polynomial $\sum_{a \le p \le b} t^p$; for instance one could consider $\sum_{a \le p \le b} t^{p^2}$ or more generally $\sum_{a \le p \le b} t^{h(p)}$ for some fixed polynomial $h$.

Some progress along the above lines will appear in forthcoming work of Croot, Hollis, 
and Lowry (in preparation). 